From a32df01165540836d4a56b66081d283d5a002ffc Mon Sep 17 00:00:00 2001 From: Jerome Petazzoni Date: Sun, 19 Jan 2020 11:32:04 -0600 Subject: [PATCH] Revamp operator example Use Elastic Cloud for Kubernetes instead of the UPMC Enterprises operator. --- k8s/eck-cerebro.yaml | 69 ++ k8s/eck-elasticsearch.yaml | 19 + k8s/eck-filebeat.yaml | 168 ++++ k8s/eck-kibana.yaml | 17 + k8s/eck-operator.yaml | 1802 ++++++++++++++++++++++++++++++++++++ slides/k8s/operators.md | 306 +++++- 6 files changed, 2342 insertions(+), 39 deletions(-) create mode 100644 k8s/eck-cerebro.yaml create mode 100644 k8s/eck-elasticsearch.yaml create mode 100644 k8s/eck-filebeat.yaml create mode 100644 k8s/eck-kibana.yaml create mode 100644 k8s/eck-operator.yaml diff --git a/k8s/eck-cerebro.yaml b/k8s/eck-cerebro.yaml new file mode 100644 index 00000000..73f23e0a --- /dev/null +++ b/k8s/eck-cerebro.yaml @@ -0,0 +1,69 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: cerebro + name: cerebro +spec: + selector: + matchLabels: + app: cerebro + template: + metadata: + labels: + app: cerebro + spec: + volumes: + - name: conf + configMap: + name: cerebro + containers: + - image: lmenezes/cerebro + name: cerebro + volumeMounts: + - name: conf + mountPath: /conf + args: + - -Dconfig.file=/conf/application.conf + env: + - name: ELASTICSEARCH_PASSWORD + valueFrom: + secretKeyRef: + name: demo-es-elastic-user + key: elastic + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: cerebro + name: cerebro +spec: + ports: + - port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app: cerebro + type: NodePort +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cerebro +data: + application.conf: | + secret = "ki:s:[[@=Ag?QI`W2jMwkY:eqvrJ]JqoJyi2axj3ZvOv^/KavOT4ViJSv?6YY4[N" + + hosts = [ + { + host = "http://demo-es-http.eck-demo.svc.cluster.local:9200" + name = "demo" + auth = { + username = "elastic" + password = ${?ELASTICSEARCH_PASSWORD} + } + } + ] diff --git a/k8s/eck-elasticsearch.yaml b/k8s/eck-elasticsearch.yaml new file mode 100644 index 00000000..f1142b3e --- /dev/null +++ b/k8s/eck-elasticsearch.yaml @@ -0,0 +1,19 @@ +apiVersion: elasticsearch.k8s.elastic.co/v1 +kind: Elasticsearch +metadata: + name: demo + namespace: eck-demo +spec: + http: + tls: + selfSignedCertificate: + disabled: true + nodeSets: + - name: default + count: 1 + config: + node.data: true + node.ingest: true + node.master: true + node.store.allow_mmap: false + version: 7.5.1 diff --git a/k8s/eck-filebeat.yaml b/k8s/eck-filebeat.yaml new file mode 100644 index 00000000..a4aa2928 --- /dev/null +++ b/k8s/eck-filebeat.yaml @@ -0,0 +1,168 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: filebeat-config + namespace: eck-demo + labels: + k8s-app: filebeat +data: + filebeat.yml: |- + filebeat.inputs: + - type: container + paths: + - /var/log/containers/*.log + processors: + - add_kubernetes_metadata: + host: ${NODE_NAME} + matchers: + - logs_path: + logs_path: "/var/log/containers/" + + # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this: + #filebeat.autodiscover: + # providers: + # - type: kubernetes + # node: ${NODE_NAME} + # hints.enabled: true + # hints.default_config: + # type: container + # paths: + # - /var/log/containers/*${data.kubernetes.container.id}.log + + processors: + - add_cloud_metadata: + - add_host_metadata: + + cloud.id: ${ELASTIC_CLOUD_ID} + cloud.auth: ${ELASTIC_CLOUD_AUTH} + + output.elasticsearch: + hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] + username: ${ELASTICSEARCH_USERNAME} + password: ${ELASTICSEARCH_PASSWORD} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: filebeat + namespace: eck-demo + labels: + k8s-app: filebeat +spec: + selector: + matchLabels: + k8s-app: filebeat + template: + metadata: + labels: + k8s-app: filebeat + spec: + serviceAccountName: filebeat + terminationGracePeriodSeconds: 30 + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: filebeat + image: docker.elastic.co/beats/filebeat:7.5.1 + args: [ + "-c", "/etc/filebeat.yml", + "-e", + ] + env: + - name: ELASTICSEARCH_HOST + value: demo-es-http + - name: ELASTICSEARCH_PORT + value: "9200" + - name: ELASTICSEARCH_USERNAME + value: elastic + - name: ELASTICSEARCH_PASSWORD + valueFrom: + secretKeyRef: + name: demo-es-elastic-user + key: elastic + - name: ELASTIC_CLOUD_ID + value: + - name: ELASTIC_CLOUD_AUTH + value: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + # If using Red Hat OpenShift uncomment this: + #privileged: true + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: config + mountPath: /etc/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: data + mountPath: /usr/share/filebeat/data + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + - name: varlog + mountPath: /var/log + readOnly: true + volumes: + - name: config + configMap: + defaultMode: 0600 + name: filebeat-config + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + - name: varlog + hostPath: + path: /var/log + # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart + - name: data + hostPath: + path: /var/lib/filebeat-data + type: DirectoryOrCreate +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: filebeat +subjects: +- kind: ServiceAccount + name: filebeat + namespace: eck-demo +roleRef: + kind: ClusterRole + name: filebeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: filebeat + labels: + k8s-app: filebeat +rules: +- apiGroups: [""] # "" indicates the core API group + resources: + - namespaces + - pods + verbs: + - get + - watch + - list +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: filebeat + namespace: eck-demo + labels: + k8s-app: filebeat +--- diff --git a/k8s/eck-kibana.yaml b/k8s/eck-kibana.yaml new file mode 100644 index 00000000..21cc09c8 --- /dev/null +++ b/k8s/eck-kibana.yaml @@ -0,0 +1,17 @@ +apiVersion: kibana.k8s.elastic.co/v1 +kind: Kibana +metadata: + name: demo +spec: + version: 7.5.1 + count: 1 + elasticsearchRef: + name: demo + namespace: eck-demo + http: + service: + spec: + type: NodePort + tls: + selfSignedCertificate: + disabled: true diff --git a/k8s/eck-operator.yaml b/k8s/eck-operator.yaml new file mode 100644 index 00000000..9736a156 --- /dev/null +++ b/k8s/eck-operator.yaml @@ -0,0 +1,1802 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: apmservers.apm.k8s.elastic.co +spec: + additionalPrinterColumns: + - JSONPath: .status.health + name: health + type: string + - JSONPath: .status.availableNodes + description: Available nodes + name: nodes + type: integer + - JSONPath: .spec.version + description: APM version + name: version + type: string + - JSONPath: .metadata.creationTimestamp + name: age + type: date + group: apm.k8s.elastic.co + names: + categories: + - elastic + kind: ApmServer + listKind: ApmServerList + plural: apmservers + shortNames: + - apm + singular: apmserver + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: ApmServer represents an APM Server resource in a Kubernetes cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ApmServerSpec holds the specification of an APM Server. + properties: + config: + description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' + type: object + count: + description: Count of APM Server instances to deploy. + format: int32 + type: integer + elasticsearchRef: + description: ElasticsearchRef is a reference to the output Elasticsearch + cluster running in the same Kubernetes cluster. + properties: + name: + description: Name of the Kubernetes object. + type: string + namespace: + description: Namespace of the Kubernetes object. If empty, defaults + to the current namespace. + type: string + required: + - name + type: object + http: + description: HTTP holds the HTTP layer configuration for the APM Server + resource. + properties: + service: + description: Service defines the template for the associated Kubernetes + Service object. + properties: + metadata: + description: ObjectMeta is the metadata of the service. The + name and namespace provided here are managed by ECK and will + be ignored. + type: object + spec: + description: Spec is the specification of the service. + properties: + clusterIP: + description: 'clusterIP is the IP address of the service + and is usually assigned randomly by the master. If an + address is specified manually and is not in use by others, + it will be allocated to the service; otherwise, creation + of the service will fail. This field can not be changed + through updates. Valid values are "None", empty string + (""), or a valid IP address. "None" can be specified for + headless services when proxying is not required. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + externalIPs: + description: externalIPs is a list of IP addresses for which + nodes in the cluster will also accept traffic for this + service. These IPs are not managed by Kubernetes. The + user is responsible for ensuring that traffic arrives + at a node with this IP. A common example is external + load-balancers that are not part of the Kubernetes system. + items: + type: string + type: array + externalName: + description: externalName is the external reference that + kubedns or equivalent will return as a CNAME record for + this service. No proxying will be involved. Must be a + valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) + and requires Type to be ExternalName. + type: string + externalTrafficPolicy: + description: externalTrafficPolicy denotes if this Service + desires to route external traffic to node-local or cluster-wide + endpoints. "Local" preserves the client source IP and + avoids a second hop for LoadBalancer and Nodeport type + services, but risks potentially imbalanced traffic spreading. + "Cluster" obscures the client source IP and may cause + a second hop to another node, but should have good overall + load-spreading. + type: string + healthCheckNodePort: + description: healthCheckNodePort specifies the healthcheck + nodePort for the service. If not specified, HealthCheckNodePort + is created by the service api backend with the allocated + nodePort. Will use user-specified nodePort value if specified + by the client. Only effects when Type is set to LoadBalancer + and ExternalTrafficPolicy is set to Local. + format: int32 + type: integer + ipFamily: + description: ipFamily specifies whether this Service has + a preference for a particular IP family (e.g. IPv4 vs. + IPv6). If a specific IP family is requested, the clusterIP + field will be allocated from that family, if it is available + in the cluster. If no IP family is requested, the cluster's + primary IP family will be used. Other IP fields (loadBalancerIP, + loadBalancerSourceRanges, externalIPs) and controllers + which allocate external load-balancers should use the + same IP family. Endpoints for this Service will be of + this family. This field is immutable after creation. + Assigning a ServiceIPFamily not available in the cluster + (e.g. IPv6 in IPv4 only cluster) is an error condition + and will fail during clusterIP assignment. + type: string + loadBalancerIP: + description: 'Only applies to Service Type: LoadBalancer + LoadBalancer will get created with the IP specified in + this field. This feature depends on whether the underlying + cloud-provider supports specifying the loadBalancerIP + when a load balancer is created. This field will be ignored + if the cloud-provider does not support the feature.' + type: string + loadBalancerSourceRanges: + description: 'If specified and supported by the platform, + this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client + IPs. This field will be ignored if the cloud-provider + does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' + items: + type: string + type: array + ports: + description: 'The list of ports that are exposed by this + service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + items: + description: ServicePort contains information on service's + port. + properties: + name: + description: The name of this port within the service. + This must be a DNS_LABEL. All ports within a ServiceSpec + must have unique names. When considering the endpoints + for a Service, this must match the 'name' field + in the EndpointPort. Optional if only one ServicePort + is defined on this service. + type: string + nodePort: + description: 'The port on each node on which this + service is exposed when type=NodePort or LoadBalancer. + Usually assigned by the system. If specified, it + will be allocated to the service if unused or else + creation of the service will fail. Default is to + auto-allocate a port if the ServiceType of this + Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' + format: int32 + type: integer + port: + description: The port that will be exposed by this + service. + format: int32 + type: integer + protocol: + description: The IP protocol for this port. Supports + "TCP", "UDP", and "SCTP". Default is TCP. + type: string + targetPort: + anyOf: + - type: string + - type: integer + description: 'Number or name of the port to access + on the pods targeted by the service. Number must + be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named + port in the target Pod''s container ports. If this + is not specified, the value of the ''port'' field + is used (an identity map). This field is ignored + for services with clusterIP=None, and should be + omitted or set equal to the ''port'' field. More + info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' + required: + - port + type: object + type: array + publishNotReadyAddresses: + description: publishNotReadyAddresses, when set to true, + indicates that DNS implementations must publish the notReadyAddresses + of subsets for the Endpoints associated with the Service. + The default value is false. The primary use case for setting + this field is to use a StatefulSet's Headless Service + to propagate SRV records for its Pods without respect + to their readiness for purpose of peer discovery. + type: boolean + selector: + additionalProperties: + type: string + description: 'Route service traffic to pods with label keys + and values matching this selector. If empty or not present, + the service is assumed to have an external process managing + its endpoints, which Kubernetes will not modify. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' + type: object + sessionAffinity: + description: 'Supports "ClientIP" and "None". Used to maintain + session affinity. Enable client IP based session affinity. + Must be ClientIP or None. Defaults to None. More info: + https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + sessionAffinityConfig: + description: sessionAffinityConfig contains the configurations + of session affinity. + properties: + clientIP: + description: clientIP contains the configurations of + Client IP based session affinity. + properties: + timeoutSeconds: + description: timeoutSeconds specifies the seconds + of ClientIP type session sticky time. The value + must be >0 && <=86400(for 1 day) if ServiceAffinity + == "ClientIP". Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + type: + description: 'type determines how the Service is exposed. + Defaults to ClusterIP. Valid options are ExternalName, + ClusterIP, NodePort, and LoadBalancer. "ExternalName" + maps to the specified externalName. "ClusterIP" allocates + a cluster-internal IP address for load-balancing to endpoints. + Endpoints are determined by the selector or if that is + not specified, by manual construction of an Endpoints + object. If clusterIP is "None", no virtual IP is allocated + and the endpoints are published as a set of endpoints + rather than a stable IP. "NodePort" builds on ClusterIP + and allocates a port on every node which routes to the + clusterIP. "LoadBalancer" builds on NodePort and creates + an external load-balancer (if supported in the current + cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + type: string + type: object + type: object + tls: + description: TLS defines options for configuring TLS for HTTP. + properties: + certificate: + description: "Certificate is a reference to a Kubernetes secret + that contains the certificate and private key for enabling + TLS. The referenced secret should contain the following: \n + - `ca.crt`: The certificate authority (optional). - `tls.crt`: + The certificate (or a chain). - `tls.key`: The private key + to the first certificate in the certificate chain." + properties: + secretName: + description: SecretName is the name of the secret. + type: string + type: object + selfSignedCertificate: + description: SelfSignedCertificate allows configuring the self-signed + certificate generated by the operator. + properties: + disabled: + description: Disabled indicates that the provisioning of + the self-signed certifcate should be disabled. + type: boolean + subjectAltNames: + description: SubjectAlternativeNames is a list of SANs to + include in the generated HTTP TLS certificate. + items: + description: SubjectAlternativeName represents a SAN entry + in a x509 certificate. + properties: + dns: + description: DNS is the DNS name of the subject. + type: string + ip: + description: IP is the IP address of the subject. + type: string + type: object + type: array + type: object + type: object + type: object + image: + description: Image is the APM Server Docker image to deploy. + type: string + podTemplate: + description: PodTemplate provides customisation options (labels, annotations, + affinity rules, resource requests, and so on) for the APM Server pods. + type: object + secureSettings: + description: 'SecureSettings is a list of references to Kubernetes secrets + containing sensitive configuration options for APM Server. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-apm-server.html#k8s-apm-secure-settings' + items: + description: SecretSource defines a data source based on a Kubernetes + Secret. + properties: + entries: + description: Entries define how to project each key-value pair + in the secret to filesystem paths. If not defined, all keys + will be projected to similarly named paths in the filesystem. + If defined, only the specified keys will be projected to the + corresponding paths. + items: + description: KeyToPath defines how to map a key in a Secret + object to a filesystem path. + properties: + key: + description: Key is the key contained in the secret. + type: string + path: + description: Path is the relative file path to map the key + to. Path must not be an absolute file path and must not + contain any ".." components. + type: string + required: + - key + type: object + type: array + secretName: + description: SecretName is the name of the secret. + type: string + required: + - secretName + type: object + type: array + version: + description: Version of the APM Server. + type: string + type: object + status: + description: ApmServerStatus defines the observed state of ApmServer + properties: + associationStatus: + description: Association is the status of any auto-linking to Elasticsearch + clusters. + type: string + availableNodes: + format: int32 + type: integer + health: + description: ApmServerHealth expresses the status of the Apm Server + instances. + type: string + secretTokenSecret: + description: SecretTokenSecretName is the name of the Secret that contains + the secret token + type: string + service: + description: ExternalService is the name of the service the agents should + connect to. + type: string + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1alpha1 + served: false + storage: false +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: elasticsearches.elasticsearch.k8s.elastic.co +spec: + additionalPrinterColumns: + - JSONPath: .status.health + name: health + type: string + - JSONPath: .status.availableNodes + description: Available nodes + name: nodes + type: integer + - JSONPath: .spec.version + description: Elasticsearch version + name: version + type: string + - JSONPath: .status.phase + name: phase + type: string + - JSONPath: .metadata.creationTimestamp + name: age + type: date + group: elasticsearch.k8s.elastic.co + names: + categories: + - elastic + kind: Elasticsearch + listKind: ElasticsearchList + plural: elasticsearches + shortNames: + - es + singular: elasticsearch + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Elasticsearch represents an Elasticsearch resource in a Kubernetes + cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ElasticsearchSpec holds the specification of an Elasticsearch + cluster. + properties: + http: + description: HTTP holds HTTP layer settings for Elasticsearch. + properties: + service: + description: Service defines the template for the associated Kubernetes + Service object. + properties: + metadata: + description: ObjectMeta is the metadata of the service. The + name and namespace provided here are managed by ECK and will + be ignored. + type: object + spec: + description: Spec is the specification of the service. + properties: + clusterIP: + description: 'clusterIP is the IP address of the service + and is usually assigned randomly by the master. If an + address is specified manually and is not in use by others, + it will be allocated to the service; otherwise, creation + of the service will fail. This field can not be changed + through updates. Valid values are "None", empty string + (""), or a valid IP address. "None" can be specified for + headless services when proxying is not required. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + externalIPs: + description: externalIPs is a list of IP addresses for which + nodes in the cluster will also accept traffic for this + service. These IPs are not managed by Kubernetes. The + user is responsible for ensuring that traffic arrives + at a node with this IP. A common example is external + load-balancers that are not part of the Kubernetes system. + items: + type: string + type: array + externalName: + description: externalName is the external reference that + kubedns or equivalent will return as a CNAME record for + this service. No proxying will be involved. Must be a + valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) + and requires Type to be ExternalName. + type: string + externalTrafficPolicy: + description: externalTrafficPolicy denotes if this Service + desires to route external traffic to node-local or cluster-wide + endpoints. "Local" preserves the client source IP and + avoids a second hop for LoadBalancer and Nodeport type + services, but risks potentially imbalanced traffic spreading. + "Cluster" obscures the client source IP and may cause + a second hop to another node, but should have good overall + load-spreading. + type: string + healthCheckNodePort: + description: healthCheckNodePort specifies the healthcheck + nodePort for the service. If not specified, HealthCheckNodePort + is created by the service api backend with the allocated + nodePort. Will use user-specified nodePort value if specified + by the client. Only effects when Type is set to LoadBalancer + and ExternalTrafficPolicy is set to Local. + format: int32 + type: integer + ipFamily: + description: ipFamily specifies whether this Service has + a preference for a particular IP family (e.g. IPv4 vs. + IPv6). If a specific IP family is requested, the clusterIP + field will be allocated from that family, if it is available + in the cluster. If no IP family is requested, the cluster's + primary IP family will be used. Other IP fields (loadBalancerIP, + loadBalancerSourceRanges, externalIPs) and controllers + which allocate external load-balancers should use the + same IP family. Endpoints for this Service will be of + this family. This field is immutable after creation. + Assigning a ServiceIPFamily not available in the cluster + (e.g. IPv6 in IPv4 only cluster) is an error condition + and will fail during clusterIP assignment. + type: string + loadBalancerIP: + description: 'Only applies to Service Type: LoadBalancer + LoadBalancer will get created with the IP specified in + this field. This feature depends on whether the underlying + cloud-provider supports specifying the loadBalancerIP + when a load balancer is created. This field will be ignored + if the cloud-provider does not support the feature.' + type: string + loadBalancerSourceRanges: + description: 'If specified and supported by the platform, + this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client + IPs. This field will be ignored if the cloud-provider + does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' + items: + type: string + type: array + ports: + description: 'The list of ports that are exposed by this + service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + items: + description: ServicePort contains information on service's + port. + properties: + name: + description: The name of this port within the service. + This must be a DNS_LABEL. All ports within a ServiceSpec + must have unique names. When considering the endpoints + for a Service, this must match the 'name' field + in the EndpointPort. Optional if only one ServicePort + is defined on this service. + type: string + nodePort: + description: 'The port on each node on which this + service is exposed when type=NodePort or LoadBalancer. + Usually assigned by the system. If specified, it + will be allocated to the service if unused or else + creation of the service will fail. Default is to + auto-allocate a port if the ServiceType of this + Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' + format: int32 + type: integer + port: + description: The port that will be exposed by this + service. + format: int32 + type: integer + protocol: + description: The IP protocol for this port. Supports + "TCP", "UDP", and "SCTP". Default is TCP. + type: string + targetPort: + anyOf: + - type: string + - type: integer + description: 'Number or name of the port to access + on the pods targeted by the service. Number must + be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named + port in the target Pod''s container ports. If this + is not specified, the value of the ''port'' field + is used (an identity map). This field is ignored + for services with clusterIP=None, and should be + omitted or set equal to the ''port'' field. More + info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' + required: + - port + type: object + type: array + publishNotReadyAddresses: + description: publishNotReadyAddresses, when set to true, + indicates that DNS implementations must publish the notReadyAddresses + of subsets for the Endpoints associated with the Service. + The default value is false. The primary use case for setting + this field is to use a StatefulSet's Headless Service + to propagate SRV records for its Pods without respect + to their readiness for purpose of peer discovery. + type: boolean + selector: + additionalProperties: + type: string + description: 'Route service traffic to pods with label keys + and values matching this selector. If empty or not present, + the service is assumed to have an external process managing + its endpoints, which Kubernetes will not modify. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' + type: object + sessionAffinity: + description: 'Supports "ClientIP" and "None". Used to maintain + session affinity. Enable client IP based session affinity. + Must be ClientIP or None. Defaults to None. More info: + https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + sessionAffinityConfig: + description: sessionAffinityConfig contains the configurations + of session affinity. + properties: + clientIP: + description: clientIP contains the configurations of + Client IP based session affinity. + properties: + timeoutSeconds: + description: timeoutSeconds specifies the seconds + of ClientIP type session sticky time. The value + must be >0 && <=86400(for 1 day) if ServiceAffinity + == "ClientIP". Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + type: + description: 'type determines how the Service is exposed. + Defaults to ClusterIP. Valid options are ExternalName, + ClusterIP, NodePort, and LoadBalancer. "ExternalName" + maps to the specified externalName. "ClusterIP" allocates + a cluster-internal IP address for load-balancing to endpoints. + Endpoints are determined by the selector or if that is + not specified, by manual construction of an Endpoints + object. If clusterIP is "None", no virtual IP is allocated + and the endpoints are published as a set of endpoints + rather than a stable IP. "NodePort" builds on ClusterIP + and allocates a port on every node which routes to the + clusterIP. "LoadBalancer" builds on NodePort and creates + an external load-balancer (if supported in the current + cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + type: string + type: object + type: object + tls: + description: TLS defines options for configuring TLS for HTTP. + properties: + certificate: + description: "Certificate is a reference to a Kubernetes secret + that contains the certificate and private key for enabling + TLS. The referenced secret should contain the following: \n + - `ca.crt`: The certificate authority (optional). - `tls.crt`: + The certificate (or a chain). - `tls.key`: The private key + to the first certificate in the certificate chain." + properties: + secretName: + description: SecretName is the name of the secret. + type: string + type: object + selfSignedCertificate: + description: SelfSignedCertificate allows configuring the self-signed + certificate generated by the operator. + properties: + disabled: + description: Disabled indicates that the provisioning of + the self-signed certifcate should be disabled. + type: boolean + subjectAltNames: + description: SubjectAlternativeNames is a list of SANs to + include in the generated HTTP TLS certificate. + items: + description: SubjectAlternativeName represents a SAN entry + in a x509 certificate. + properties: + dns: + description: DNS is the DNS name of the subject. + type: string + ip: + description: IP is the IP address of the subject. + type: string + type: object + type: array + type: object + type: object + type: object + image: + description: Image is the Elasticsearch Docker image to deploy. + type: string + nodeSets: + description: 'NodeSets allow specifying groups of Elasticsearch nodes + sharing the same configuration and Pod templates. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-orchestration.html' + items: + description: NodeSet is the specification for a group of Elasticsearch + nodes sharing the same configuration and a Pod template. + properties: + config: + description: Config holds the Elasticsearch configuration. + type: object + count: + description: Count of Elasticsearch nodes to deploy. + format: int32 + minimum: 1 + type: integer + name: + description: Name of this set of nodes. Becomes a part of the + Elasticsearch node.name setting. + maxLength: 23 + pattern: '[a-zA-Z0-9-]+' + type: string + podTemplate: + description: PodTemplate provides customisation options (labels, + annotations, affinity rules, resource requests, and so on) for + the Pods belonging to this NodeSet. + type: object + volumeClaimTemplates: + description: 'VolumeClaimTemplates is a list of persistent volume + claims to be used by each Pod in this NodeSet. Every claim in + this list must have a matching volumeMount in one of the containers + defined in the PodTemplate. Items defined here take precedence + over any default claims added by the operator with the same + name. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-volume-claim-templates.html' + items: + description: PersistentVolumeClaim is a user's request for and + claim to a persistent volume + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of + this representation of an object. Servers should convert + recognized schemas to the latest internal value, and may + reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + type: object + spec: + description: 'Spec defines the desired characteristics of + a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + accessModes: + description: 'AccessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: This field requires the VolumeSnapshotDataSource + alpha feature gate to be enabled and currently VolumeSnapshot + is the only supported data source. If the provisioner + can support VolumeSnapshot data source, it will create + a new volume and data will be restored to the volume + at the same time. If the provisioner does not support + VolumeSnapshot data source, volume will not be created + and the failure will be reported as an event. In the + future, we plan to support more data source types + and the behavior of the provisioner may change. + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + resources: + description: 'Resources represents the minimum resources + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + type: string + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + type: string + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + selector: + description: A label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + storageClassName: + description: 'Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem is implied + when not included in claim spec. This is a beta feature. + type: string + volumeName: + description: VolumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + status: + description: 'Status represents the current information/status + of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + accessModes: + description: 'AccessModes contains the actual access + modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + capacity: + additionalProperties: + type: string + description: Represents the actual resources of the + underlying volume. + type: object + conditions: + description: Current Condition of persistent volume + claim. If underlying persistent volume is being resized + then the Condition will be set to 'ResizeStarted'. + items: + description: PersistentVolumeClaimCondition contails + details about state of pvc + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned + from one status to another. + format: date-time + type: string + message: + description: Human-readable message indicating + details about last transition. + type: string + reason: + description: Unique, this should be a short, machine + understandable string that gives the reason + for condition's last transition. If it reports + "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: PersistentVolumeClaimConditionType + is a valid value of PersistentVolumeClaimCondition.Type + type: string + required: + - status + - type + type: object + type: array + phase: + description: Phase represents the current phase of PersistentVolumeClaim. + type: string + type: object + type: object + type: array + required: + - count + - name + type: object + minItems: 1 + type: array + podDisruptionBudget: + description: PodDisruptionBudget provides access to the default pod + disruption budget for the Elasticsearch cluster. The default budget + selects all cluster pods and sets `maxUnavailable` to 1. To disable, + set `PodDisruptionBudget` to the empty value (`{}` in YAML). + properties: + metadata: + description: ObjectMeta is the metadata of the PDB. The name and + namespace provided here are managed by ECK and will be ignored. + type: object + spec: + description: Spec is the specification of the PDB. + properties: + maxUnavailable: + anyOf: + - type: string + - type: integer + description: An eviction is allowed if at most "maxUnavailable" + pods selected by "selector" are unavailable after the eviction, + i.e. even in absence of the evicted pod. For example, one + can prevent all voluntary evictions by specifying 0. This + is a mutually exclusive setting with "minAvailable". + minAvailable: + anyOf: + - type: string + - type: integer + description: An eviction is allowed if at least "minAvailable" + pods selected by "selector" will still be available after + the eviction, i.e. even in the absence of the evicted pod. So + for example you can prevent all voluntary evictions by specifying + "100%". + selector: + description: Label query over pods whose evictions are managed + by the disruption budget. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + secureSettings: + description: 'SecureSettings is a list of references to Kubernetes secrets + containing sensitive configuration options for Elasticsearch. See: + https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-es-secure-settings.html' + items: + description: SecretSource defines a data source based on a Kubernetes + Secret. + properties: + entries: + description: Entries define how to project each key-value pair + in the secret to filesystem paths. If not defined, all keys + will be projected to similarly named paths in the filesystem. + If defined, only the specified keys will be projected to the + corresponding paths. + items: + description: KeyToPath defines how to map a key in a Secret + object to a filesystem path. + properties: + key: + description: Key is the key contained in the secret. + type: string + path: + description: Path is the relative file path to map the key + to. Path must not be an absolute file path and must not + contain any ".." components. + type: string + required: + - key + type: object + type: array + secretName: + description: SecretName is the name of the secret. + type: string + required: + - secretName + type: object + type: array + updateStrategy: + description: UpdateStrategy specifies how updates to the cluster should + be performed. + properties: + changeBudget: + description: ChangeBudget defines the constraints to consider when + applying changes to the Elasticsearch cluster. + properties: + maxSurge: + description: MaxSurge is the maximum number of new pods that + can be created exceeding the original number of pods defined + in the specification. MaxSurge is only taken into consideration + when scaling up. Setting a negative value will disable the + restriction. Defaults to unbounded if not specified. + format: int32 + type: integer + maxUnavailable: + description: MaxUnavailable is the maximum number of pods that + can be unavailable (not ready) during the update due to circumstances + under the control of the operator. Setting a negative value + will disable this restriction. Defaults to 1 if not specified. + format: int32 + type: integer + type: object + type: object + version: + description: Version of Elasticsearch. + type: string + required: + - nodeSets + type: object + status: + description: ElasticsearchStatus defines the observed state of Elasticsearch + properties: + availableNodes: + format: int32 + type: integer + health: + description: ElasticsearchHealth is the health of the cluster as returned + by the health API. + type: string + phase: + description: ElasticsearchOrchestrationPhase is the phase Elasticsearch + is in from the controller point of view. + type: string + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1alpha1 + served: false + storage: false +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: kibanas.kibana.k8s.elastic.co +spec: + additionalPrinterColumns: + - JSONPath: .status.health + name: health + type: string + - JSONPath: .status.availableNodes + description: Available nodes + name: nodes + type: integer + - JSONPath: .spec.version + description: Kibana version + name: version + type: string + - JSONPath: .metadata.creationTimestamp + name: age + type: date + group: kibana.k8s.elastic.co + names: + categories: + - elastic + kind: Kibana + listKind: KibanaList + plural: kibanas + shortNames: + - kb + singular: kibana + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Kibana represents a Kibana resource in a Kubernetes cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KibanaSpec holds the specification of a Kibana instance. + properties: + config: + description: 'Config holds the Kibana configuration. See: https://www.elastic.co/guide/en/kibana/current/settings.html' + type: object + count: + description: Count of Kibana instances to deploy. + format: int32 + type: integer + elasticsearchRef: + description: ElasticsearchRef is a reference to an Elasticsearch cluster + running in the same Kubernetes cluster. + properties: + name: + description: Name of the Kubernetes object. + type: string + namespace: + description: Namespace of the Kubernetes object. If empty, defaults + to the current namespace. + type: string + required: + - name + type: object + http: + description: HTTP holds the HTTP layer configuration for Kibana. + properties: + service: + description: Service defines the template for the associated Kubernetes + Service object. + properties: + metadata: + description: ObjectMeta is the metadata of the service. The + name and namespace provided here are managed by ECK and will + be ignored. + type: object + spec: + description: Spec is the specification of the service. + properties: + clusterIP: + description: 'clusterIP is the IP address of the service + and is usually assigned randomly by the master. If an + address is specified manually and is not in use by others, + it will be allocated to the service; otherwise, creation + of the service will fail. This field can not be changed + through updates. Valid values are "None", empty string + (""), or a valid IP address. "None" can be specified for + headless services when proxying is not required. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + externalIPs: + description: externalIPs is a list of IP addresses for which + nodes in the cluster will also accept traffic for this + service. These IPs are not managed by Kubernetes. The + user is responsible for ensuring that traffic arrives + at a node with this IP. A common example is external + load-balancers that are not part of the Kubernetes system. + items: + type: string + type: array + externalName: + description: externalName is the external reference that + kubedns or equivalent will return as a CNAME record for + this service. No proxying will be involved. Must be a + valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) + and requires Type to be ExternalName. + type: string + externalTrafficPolicy: + description: externalTrafficPolicy denotes if this Service + desires to route external traffic to node-local or cluster-wide + endpoints. "Local" preserves the client source IP and + avoids a second hop for LoadBalancer and Nodeport type + services, but risks potentially imbalanced traffic spreading. + "Cluster" obscures the client source IP and may cause + a second hop to another node, but should have good overall + load-spreading. + type: string + healthCheckNodePort: + description: healthCheckNodePort specifies the healthcheck + nodePort for the service. If not specified, HealthCheckNodePort + is created by the service api backend with the allocated + nodePort. Will use user-specified nodePort value if specified + by the client. Only effects when Type is set to LoadBalancer + and ExternalTrafficPolicy is set to Local. + format: int32 + type: integer + ipFamily: + description: ipFamily specifies whether this Service has + a preference for a particular IP family (e.g. IPv4 vs. + IPv6). If a specific IP family is requested, the clusterIP + field will be allocated from that family, if it is available + in the cluster. If no IP family is requested, the cluster's + primary IP family will be used. Other IP fields (loadBalancerIP, + loadBalancerSourceRanges, externalIPs) and controllers + which allocate external load-balancers should use the + same IP family. Endpoints for this Service will be of + this family. This field is immutable after creation. + Assigning a ServiceIPFamily not available in the cluster + (e.g. IPv6 in IPv4 only cluster) is an error condition + and will fail during clusterIP assignment. + type: string + loadBalancerIP: + description: 'Only applies to Service Type: LoadBalancer + LoadBalancer will get created with the IP specified in + this field. This feature depends on whether the underlying + cloud-provider supports specifying the loadBalancerIP + when a load balancer is created. This field will be ignored + if the cloud-provider does not support the feature.' + type: string + loadBalancerSourceRanges: + description: 'If specified and supported by the platform, + this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client + IPs. This field will be ignored if the cloud-provider + does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' + items: + type: string + type: array + ports: + description: 'The list of ports that are exposed by this + service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + items: + description: ServicePort contains information on service's + port. + properties: + name: + description: The name of this port within the service. + This must be a DNS_LABEL. All ports within a ServiceSpec + must have unique names. When considering the endpoints + for a Service, this must match the 'name' field + in the EndpointPort. Optional if only one ServicePort + is defined on this service. + type: string + nodePort: + description: 'The port on each node on which this + service is exposed when type=NodePort or LoadBalancer. + Usually assigned by the system. If specified, it + will be allocated to the service if unused or else + creation of the service will fail. Default is to + auto-allocate a port if the ServiceType of this + Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' + format: int32 + type: integer + port: + description: The port that will be exposed by this + service. + format: int32 + type: integer + protocol: + description: The IP protocol for this port. Supports + "TCP", "UDP", and "SCTP". Default is TCP. + type: string + targetPort: + anyOf: + - type: string + - type: integer + description: 'Number or name of the port to access + on the pods targeted by the service. Number must + be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named + port in the target Pod''s container ports. If this + is not specified, the value of the ''port'' field + is used (an identity map). This field is ignored + for services with clusterIP=None, and should be + omitted or set equal to the ''port'' field. More + info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' + required: + - port + type: object + type: array + publishNotReadyAddresses: + description: publishNotReadyAddresses, when set to true, + indicates that DNS implementations must publish the notReadyAddresses + of subsets for the Endpoints associated with the Service. + The default value is false. The primary use case for setting + this field is to use a StatefulSet's Headless Service + to propagate SRV records for its Pods without respect + to their readiness for purpose of peer discovery. + type: boolean + selector: + additionalProperties: + type: string + description: 'Route service traffic to pods with label keys + and values matching this selector. If empty or not present, + the service is assumed to have an external process managing + its endpoints, which Kubernetes will not modify. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' + type: object + sessionAffinity: + description: 'Supports "ClientIP" and "None". Used to maintain + session affinity. Enable client IP based session affinity. + Must be ClientIP or None. Defaults to None. More info: + https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + sessionAffinityConfig: + description: sessionAffinityConfig contains the configurations + of session affinity. + properties: + clientIP: + description: clientIP contains the configurations of + Client IP based session affinity. + properties: + timeoutSeconds: + description: timeoutSeconds specifies the seconds + of ClientIP type session sticky time. The value + must be >0 && <=86400(for 1 day) if ServiceAffinity + == "ClientIP". Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + type: + description: 'type determines how the Service is exposed. + Defaults to ClusterIP. Valid options are ExternalName, + ClusterIP, NodePort, and LoadBalancer. "ExternalName" + maps to the specified externalName. "ClusterIP" allocates + a cluster-internal IP address for load-balancing to endpoints. + Endpoints are determined by the selector or if that is + not specified, by manual construction of an Endpoints + object. If clusterIP is "None", no virtual IP is allocated + and the endpoints are published as a set of endpoints + rather than a stable IP. "NodePort" builds on ClusterIP + and allocates a port on every node which routes to the + clusterIP. "LoadBalancer" builds on NodePort and creates + an external load-balancer (if supported in the current + cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + type: string + type: object + type: object + tls: + description: TLS defines options for configuring TLS for HTTP. + properties: + certificate: + description: "Certificate is a reference to a Kubernetes secret + that contains the certificate and private key for enabling + TLS. The referenced secret should contain the following: \n + - `ca.crt`: The certificate authority (optional). - `tls.crt`: + The certificate (or a chain). - `tls.key`: The private key + to the first certificate in the certificate chain." + properties: + secretName: + description: SecretName is the name of the secret. + type: string + type: object + selfSignedCertificate: + description: SelfSignedCertificate allows configuring the self-signed + certificate generated by the operator. + properties: + disabled: + description: Disabled indicates that the provisioning of + the self-signed certifcate should be disabled. + type: boolean + subjectAltNames: + description: SubjectAlternativeNames is a list of SANs to + include in the generated HTTP TLS certificate. + items: + description: SubjectAlternativeName represents a SAN entry + in a x509 certificate. + properties: + dns: + description: DNS is the DNS name of the subject. + type: string + ip: + description: IP is the IP address of the subject. + type: string + type: object + type: array + type: object + type: object + type: object + image: + description: Image is the Kibana Docker image to deploy. + type: string + podTemplate: + description: PodTemplate provides customisation options (labels, annotations, + affinity rules, resource requests, and so on) for the Kibana pods + type: object + secureSettings: + description: 'SecureSettings is a list of references to Kubernetes secrets + containing sensitive configuration options for Kibana. See: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-kibana.html#k8s-kibana-secure-settings' + items: + description: SecretSource defines a data source based on a Kubernetes + Secret. + properties: + entries: + description: Entries define how to project each key-value pair + in the secret to filesystem paths. If not defined, all keys + will be projected to similarly named paths in the filesystem. + If defined, only the specified keys will be projected to the + corresponding paths. + items: + description: KeyToPath defines how to map a key in a Secret + object to a filesystem path. + properties: + key: + description: Key is the key contained in the secret. + type: string + path: + description: Path is the relative file path to map the key + to. Path must not be an absolute file path and must not + contain any ".." components. + type: string + required: + - key + type: object + type: array + secretName: + description: SecretName is the name of the secret. + type: string + required: + - secretName + type: object + type: array + version: + description: Version of Kibana. + type: string + type: object + status: + description: KibanaStatus defines the observed state of Kibana + properties: + associationStatus: + description: AssociationStatus is the status of an association resource. + type: string + availableNodes: + format: int32 + type: integer + health: + description: KibanaHealth expresses the status of the Kibana instances. + type: string + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1alpha1 + served: false + storage: false +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator +rules: +- apiGroups: + - "" + resources: + - pods + - endpoints + - events + - persistentvolumeclaims + - secrets + - services + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - elasticsearch.k8s.elastic.co + resources: + - elasticsearches + - elasticsearches/status + - elasticsearches/finalizers + - enterpriselicenses + - enterpriselicenses/status + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - kibana.k8s.elastic.co + resources: + - kibanas + - kibanas/status + - kibanas/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apm.k8s.elastic.co + resources: + - apmservers + - apmservers/status + - apmservers/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - associations.k8s.elastic.co + resources: + - apmserverelasticsearchassociations + - apmserverelasticsearchassociations/status + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: elastic-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: elastic-operator +subjects: +- kind: ServiceAccount + name: elastic-operator + namespace: elastic-system + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: elastic-system + +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: elastic-operator + namespace: elastic-system + labels: + control-plane: elastic-operator +spec: + selector: + matchLabels: + control-plane: elastic-operator + serviceName: elastic-operator + template: + metadata: + labels: + control-plane: elastic-operator + spec: + serviceAccountName: elastic-operator + containers: + - image: docker.elastic.co/eck/eck-operator:1.0.0 + name: manager + args: ["manager", "--operator-roles", "all", "--log-verbosity=0"] + env: + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: WEBHOOK_SECRET + value: elastic-webhook-server-cert + - name: WEBHOOK_PODS_LABEL + value: elastic-operator + - name: OPERATOR_IMAGE + value: docker.elastic.co/eck/eck-operator:1.0.0 + resources: + limits: + cpu: 1 + memory: 150Mi + requests: + cpu: 100m + memory: 50Mi + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: elastic-webhook-server-cert + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: elastic-operator + namespace: elastic-system + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: elastic-webhook.k8s.elastic.co +webhooks: + - clientConfig: + caBundle: Cg== + service: + name: elastic-webhook-server + namespace: elastic-system + path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch + failurePolicy: Ignore + name: elastic-es-validation-v1.k8s.elastic.co + rules: + - apiGroups: + - elasticsearch.k8s.elastic.co + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - elasticsearches + - clientConfig: + caBundle: Cg== + service: + name: elastic-webhook-server + namespace: elastic-system + path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch + failurePolicy: Ignore + name: elastic-es-validation-v1beta1.k8s.elastic.co + rules: + - apiGroups: + - elasticsearch.k8s.elastic.co + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - elasticsearches +--- +apiVersion: v1 +kind: Service +metadata: + name: elastic-webhook-server + namespace: elastic-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + control-plane: elastic-operator +--- +apiVersion: v1 +kind: Secret +metadata: + name: elastic-webhook-server-cert + namespace: elastic-system diff --git a/slides/k8s/operators.md b/slides/k8s/operators.md index b43f275f..5280bbf7 100644 --- a/slides/k8s/operators.md +++ b/slides/k8s/operators.md @@ -121,7 +121,7 @@ Examples: ## One operator in action -- We will install the UPMC Enterprises ElasticSearch operator +- We will install [Elastic Cloud on Kubernetes](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html), an ElasticSearch operator - This operator requires PersistentVolumes @@ -206,51 +206,92 @@ Now, the StorageClass should have `(default)` next to its name. ## Install the ElasticSearch operator -- The operator needs: +- The operator provides: - - a Deployment for its controller + - a few CustomResourceDefinitions + - a Namespace for its other resources + - a ValidatingWebhookConfiguration for type checking + - a StatefulSet for its controller and webhook code - a ServiceAccount, ClusterRole, ClusterRoleBinding for permissions - - a Namespace -- We have grouped all the definitions for these resources in a YAML file +- All these resources are grouped in a convenient YAML file .exercise[ - Install the operator: ```bash - kubectl apply -f ~/container.training/k8s/elasticsearch-operator.yaml + kubectl apply -f ~/container.training/k8s/eck-operator.yaml ``` ] --- -## Wait for the operator to be ready +## Check our new custom resources -- Some operators require to create their CRDs separately - -- This operator will create its CRD itself - - (i.e. the CRD is not listed in the YAML that we applied earlier) +- Let's see which CRDs were created .exercise[ -- Wait until the `elasticsearchclusters` CRD shows up: +- List all CRDs: ```bash kubectl get crds ``` ] +This operator supports ElasticSearch, but also Kibana and APM. Cool! + +--- + +## Create the `eck-demo` namespace + +- For clarity, we will create everything in a new namespace, `eck-demo` + +- This namespace is hard-coded in the YAML files that we are going to use + +- We need to create that namespace + +.exercise[ + +- Create the `eck-demo` namespace: + ```bash + kubectl create namespace eck-demo + ``` + +- Switch to that namespace: + ```bash + kns eck-demo + ``` + +] + +--- + +class: extra-details + +## Can we use a different namespace? + +Yes, but then we need to update all the YAML manifests that we +are going to apply in the next slides. + +The `eck-demo` namespace is hard-coded in these YAML manifests. + +Why? + +Because when defining a ClusterRoleBinding that references a +ServiceAccount, we have to indicate in which namespace the +ServiceAccount is located. + --- ## Create an ElasticSearch resource -- We can now create a resource with `kind: ElasticsearchCluster` +- We can now create a resource with `kind: ElasticSearch` - The YAML for that resource will specify all the desired parameters: - - how many nodes do we want of each type (client, master, data) + - how many nodes we want - image to use - add-ons (kibana, cerebro, ...) - whether to use TLS or not @@ -260,7 +301,7 @@ Now, the StorageClass should have `(default)` next to its name. - Create our ElasticSearch cluster: ```bash - kubectl apply -f ~/container.training/k8s/elasticsearch-cluster.yaml + kubectl apply -f ~/container.training/k8s/eck-elasticsearch.yaml ``` ] @@ -269,49 +310,88 @@ Now, the StorageClass should have `(default)` next to its name. ## Operator in action -- Over the next minutes, the operator will create: +- Over the next minutes, the operator will create our ES cluster - - StatefulSets (one for master nodes, one for data nodes) - - - Deployments (for client nodes; and for add-ons like cerebro and kibana) - - - Services (for all these pods) +- It will report our cluster status through the CRD .exercise[ -- Wait for all the StatefulSets to be fully up and running: +- Check the logs of the operator: ```bash - kubectl get statefulsets -w + stern --namespace=elastic-system operator ``` + + +- Watch the status of the cluster through the CRD: + ```bash + kubectl get es -w + ``` + + + ] --- ## Connecting to our cluster -- Since connecting directly to the ElasticSearch API is a bit raw, -
we'll connect to the cerebro frontend instead +- It's not easy to use the ElasticSearch API from the shell + +- But let's check at least if ElasticSearch is up! .exercise[ -- Edit the cerebro service to change its type from ClusterIP to NodePort: +- Get the ClusterIP of our ES instance: ```bash - kubectl patch svc cerebro-es -p "spec: { type: NodePort }" + kubectl get services ``` -- Retrieve the NodePort that was allocated: +- Issue a request with `curl`: ```bash - kubectl get svc cerebro-es + curl http://`CLUSTERIP`:9200 ``` -- Connect to that port with a browser - ] +We get an authentication error. Our cluster is protected! + --- -## (Bonus) Setup filebeat +## Obtaining the credentials + +- The operator creates a user named `elastic` + +- It generates a random password and stores it in a Secret + +.exercise[ + +- Extract the password: + ```bash + kubectl get secret demo-es-elastic-user \ + -o go-template="{{ .data.elastic | base64decode }} " + ``` + +- Use it to connect to the API: + ```bash + curl -u elastic:`PASSWORD` http://`CLUSTERIP`:9200 + ``` + +] + +We should see a JSON payload with the `"You Know, for Search"` tagline. + +--- + +## Sending data to the cluster - Let's send some data to our brand new ElasticSearch cluster! @@ -321,22 +401,170 @@ Now, the StorageClass should have `(default)` next to its name. - Deploy filebeat: ```bash - kubectl apply -f ~/container.training/k8s/filebeat.yaml + kubectl apply -f ~/container.training/k8s/eck-filebeat.yaml + ``` + +- Wait until some pods are up: + ```bash + watch kubectl get pods -l k8s-app=filebeat + ``` + + + +- Check that a filebeat index was created: + ```bash + curl -u elastic:`PASSWORD` http://`CLUSTERIP`:9200/_cat/indices ``` ] -We should see at least one index being created in cerebro. +--- + +## Deploying an instance of Kibana + +- Kibana can visualize the logs injected by filebeat + +- The ECK operator can also manage Kibana + +- Let's give it a try! + +.exercise[ + +- Deploy a Kibana instance: + ```bash + kubectl apply -f ~/container.training/k8s/eck-kibana.yaml + ``` + +- Wait for it to be ready: + ```bash + kubectl get kibana -w + ``` + + + +] --- -## (Bonus) Access log data with kibana +## Connecting to Kibana -- Let's expose kibana (by making kibana-es a NodePort too) +- Kibana is automatically set up to conect to ElasticSearch -- Then access kibana + (this is arranged by the YAML that we're using) -- We'll need to configure kibana indexes +- However, it will ask for authentication + +- It's using the same user/password as ElasticSearch + +.exercise[ + +- Get the NodePort allocated to Kibana: + ```bash + kubectl get services + ``` + +- Connect to it with a web browser + +- Use the same user/password as before + +] + +--- + +## Setting up Kibana + +After the Kibana UI loads, we need to click around a bit + +.exercise[ + +- Pick "explore on my own" + +- Click on Use Elasticsearch data / Connect to your Elasticsearch index" + +- Enter `filebeat-*` for the index pattern and click "Next step" + +- Select `@timestamp` as time filter field name + +- Click on "discover" (the small icon looking like a compass on the left bar) + +- Play around! + +] + +--- + +## Scaling up the cluster + +- At this point, we have only one node + +- We are going to scale up + +- But first, we'll deploy Cerebro, an UI for ElasticSearch + +- This will let us see the state of the cluster, how indexes are sharded, etc. + +--- + +## Deploying Cerebro + +- Cerebro is stateless, so it's fairly easy to deploy + + (one Deployment + one Service) + +- However, it needs the address and credentials for ElasticSearch + +- We prepared yet another manifest for that! + +.exercise[ + +- Deploy Cerebro: + ```bash + kubectl apply -f ~/container.training/k8s/eck-cerebro.yaml + ``` + +- Lookup the NodePort number and connect to it: + ```bash + kuebctl get services + ``` + +] + +--- + +## Scaling up the cluster + +- We can see on Cerebro that the cluster is "yellow" + + (because our index is not replicated) + +- Let's change that! + +.exercise[ + +- Edit the ElasticSearch cluster manifest: + ```bash + kubectl edit es demo + ``` + +- Find the field `count: 1` and change it to 3 + +- Save and quit + + + +] ---